check for sensitive property name

Author: edvraa

javascript/ql/src/semmle/javascript/security/InsecureCookie.qll

@@ -53,7 +53,8 @@ module Cookie {
       exists(string val |
         (
           val = expr.getStringValue() or
-          val = expr.asExpr().(VarAccess).getName()
+          val = expr.asExpr().(VarAccess).getName() or
+          val = expr.(DataFlow::PropRead).getPropertyName()
         ) and
         regexpMatchAuth(val)
       )

javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected

@@ -14,3 +14,4 @@
 | test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |

javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js

@@ -96,6 +96,17 @@ app.get('/a', function (req, res, next) {
     res.end('ok')
 })
 
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let o = { session: "blabla" }
+    res.cookie(o.session, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
     let options = {
         maxAge: 9000000000,